
There’s yet another reason to view email messages in plain text format instead of HTML. Hackers are increasingly ‘salting’ scam emails with text invisible to human readers, which deceives security systems.
For you, it reads “WELLS FARGO.” For the email spam filter, it’s “WEqcvuilLLS FAroyawdRGO.” This gibberish should be an obvious red flag for both. However, some security systems can be bypassed using HTML/CSS trickery.
Since the start of the second half of 2024, Cisco Talos has observed an increase in the number of email threats containing similar text salting, also known as poisoning.
The fraudulent email looks normal to users viewing it in HTML. However, the text is altered for email parsers.
By inserting hidden characters into an email's source code, fraudsters achieve multiple goals. They evade brand name extraction by email parsers, confuse language detection procedures, and prevent security tools from properly decoding and analyzing attachments.
“Hidden text salting is a simple yet effective technique for bypassing email parsers, confusing spam filters, and evading detection engines that rely on keywords,” the report reads.
Filters fail to detect keywords, language
Hackers use ‘salting’ for at least three different purposes. The first is bypassing keyword detection: spam filters often rely on matching keywords, and salting breaks that match.
To masquerade as a well-known brand, such as Wells Fargo, fraudsters tweak the name in HTML with style tags. They specify that only the letters in the real brand name are visible to the user, while the inserted characters between those letters are set to ‘hidden.’
In another case, fraudsters were impersonating the Norton LifeLock brand. The fraudulent emails contained zero-width characters inserted between the letters.

The second purpose is to confuse language detection. During one campaign, spammers sent emails impersonating the Harbor Freight brand. For the receivers, it reads in English. However, spam emails contained several French words and sentences that were visually hidden. This way, hackers tricked Microsoft’s language detection module and bypassed the security check.
The third type of spam relies on smuggling attachments that bypass security filters. Threat actors add HTML attachments salted with multiple irrelevant comments between the base64-encoded characters, which prevents parsers from easily putting the strings together and decoding them.
Fighting these scams requires advanced filtering techniques that rely on AI and visual features, Cisco Talos suggests. For example, filtering systems could be made to identify questionable usage of CSS properties like visibility (e.g., "visibility: hidden") and display (e.g., "display: none") that are frequently used to conceal text.
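The three tricks described above (CSS-hidden salt inside a brand name, hidden text in another language, and comments interleaved with a base64 attachment) can all be surfaced by comparing what a reader sees with what a naive parser sees. The following is an added example written for this page, not Cisco Talos's tooling or any product code. It uses only the Python standard library; the HTML body, the base64 blob and the list of hiding CSS properties are constructed for the demonstration and the CSS list is a starting point rather than an exhaustive one.

```python
"""Added example: defender-side check for hidden-text salting in HTML email.
Compares the rendered text with what a tag-stripping keyword filter sees,
counts zero-width characters, and decodes comment-salted base64 attachments."""
import base64
import binascii
import html as html_mod
import re
from html.parser import HTMLParser

# Invisible code points used to split brand names (the Norton LifeLock case).
ZERO_WIDTH = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff"}
# Tags with no closing tag; they must not touch the nesting stack.
VOID_TAGS = {"br", "img", "hr", "input", "meta", "link", "wbr"}
# Inline CSS that removes content from the rendered view (starting list, assumed).
HIDING_CSS = re.compile(
    r"display\s*:\s*none"
    r"|visibility\s*:\s*hidden"
    r"|font-size\s*:\s*0(?:\.0+)?(?:px|pt|em|rem|%)?(?![.\d])"
    r"|opacity\s*:\s*0(?:\.0+)?(?![.\d])",
    re.IGNORECASE,
)
COMMENT_RE = re.compile(r"<!--.*?-->", re.DOTALL)


class SaltingParser(HTMLParser):
    """Splits text into what a reader sees and what only a parser sees."""

    def __init__(self):
        super().__init__()
        self.visible, self.hidden = [], []
        self.stack = []             # one bool per open element: does it hide its content?
        self.suspicious_styles = []
        self.zero_width_count = 0

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        attrs = dict(attrs)
        hit = HIDING_CSS.search(attrs.get("style") or "")
        if hit:
            self.suspicious_styles.append(f'<{tag} style="{hit.group(0)}">')
        elif "hidden" in attrs:
            self.suspicious_styles.append(f"<{tag} hidden>")
        self.stack.append(bool(hit) or "hidden" in attrs)

    def handle_endtag(self, tag):
        # Assumes reasonably well-nested markup; a stray end tag would desync the stack.
        if tag not in VOID_TAGS and self.stack:
            self.stack.pop()

    def handle_data(self, data):
        # Numeric entities such as &#8203; arrive already decoded (convert_charrefs=True).
        self.zero_width_count += sum(ch in ZERO_WIDTH for ch in data)
        cleaned = "".join(ch for ch in data if ch not in ZERO_WIDTH)
        (self.hidden if any(self.stack) else self.visible).append(cleaned)


def analyze(html_body: str) -> dict:
    """Return rendered text, hidden text, and the text a tag-stripping filter would see."""
    p = SaltingParser()
    p.feed(html_body)
    p.close()
    naive = html_mod.unescape(re.sub(r"<[^>]+>", "", html_body))
    return {
        "visible_text": " ".join("".join(p.visible).split()),
        "hidden_text": " ".join(" ".join(p.hidden).split()),
        "naive_text": " ".join(naive.split()),
        "suspicious_styles": p.suspicious_styles,
        "zero_width_count": p.zero_width_count,
    }


def naive_decode(blob: str):
    """What a decoder that merely drops non-alphabet characters makes of a salted blob.
    Letters inside the comments survive and corrupt the output (or break the padding)."""
    try:
        return base64.b64decode(blob)
    except binascii.Error:
        return None


def decode_salted_base64(blob: str) -> bytes:
    """Strip the HTML comments (the salt) before decoding; validate=True rejects other junk."""
    cleaned = "".join(COMMENT_RE.sub("", blob).split())
    return base64.b64decode(cleaned, validate=True)


# Constructed sample body: brand name salted with hidden spans, a hidden French
# sentence, and zero-width characters inside "Norton LifeLock".
SAMPLE_HTML = """<html><body>
<p>Dear customer, your WE<span style="display:none">qcvuil</span>LLS FA<span style="visibility: hidden">royawd</span>RGO account is locked.</p>
<div style="font-size:0px">veuillez confirmer votre compte</div>
<p>Nor&#8203;ton Life&#8204;Lock support</p>
</body></html>"""

# Constructed sample attachment: base64 of b"hello, world" with comments as salt.
SAMPLE_ATTACHMENT = "aGVs<!-- salt -->bG8s<!-- more salt -->IHdv<!-- padding -->cmxk"

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_HTML).items():
        print(f"{key}: {value}")
    print("naive decode:", naive_decode(SAMPLE_ATTACHMENT))
    print("comment-stripped decode:", decode_salted_base64(SAMPLE_ATTACHMENT))
```

The useful signal is the gap between `visible_text` and `naive_text`: a keyword rule that inspects the raw text sees "WEqcvuilLLS FAroyawdRGO" while the reader sees "WELLS FARGO", and a language check run on `hidden_text` sees French that the reader never does. The parser only understands inline `style` attributes; a mail that hides text through a `<style>` block or class names needs the stylesheet resolved first, which is one reason the article points at visual and AI-based detection rather than keyword matching alone.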
“Protecting against these sophisticated and devious threats requires a comprehensive email security solution that harnesses AI-powered detections,” the researchers said.
Viewing emails in HTML can also bring other risks. Cybernews recently reported on a critical zero-click vulnerability affecting Microsoft Outlook users. To exploit it, attackers could send specially crafted emails to victims, and the malicious payload would run when the Microsoft Outlook application displays a preview without actually opening an email.
As a workaround, Microsoft itself recommended that “users read email messages in plain text format,” which does not display pictures, specialized fonts, animations, or other rich content.